DA SV
legislation

NIS 2 directive in Europe implementation by country

6 minutes read
NIS 2 directive in Europe implementation by country

Overview of the current implementation status of the NIS 2 directive across EU countries with a map and summaries of national transposition progress.

What is the NIS 2 directive?

The NIS 2 directive is a comprehensive revision of the original NIS Directive from 2016 and aims to raise cybersecurity standards across the EU. Key features include:

  • Expanded scope to additional sectors
  • Stricter security requirements
  • Improved incident reporting obligations
  • Applicability to a wide range of “essential” and “important” entities across sectors

EU Member States are required to transpose NIS 2 into national law by 17 October 2024. For many countries this entails significant changes to national cybersecurity laws and governance structures.

Overview of the NIS 2 implementation status in the EU

The map below illustrated the implementation status of the NIS 2 directive in EU Member States as of 17 October 2024. Countries are grouped into four categories indicated by different colors:

  • Red: No (public) draft known. Examples include France, Spain and Ireland.
  • Orange: Draft is in (public) discussion. Includes countries such as Sweden, the Netherlands and Poland.
  • Blue: Draft is in parliamentary voting. Includes Germany, Austria, Finland and Italy.
  • Green: Law already adopted. This applies to Belgium, Greece and some eastern European states.

The map shows that implementation progress varies widely across the EU. While some countries are well advanced, others remain at early stages of the process. This highlights the challenge of achieving uniform implementation across the Union.

Countries that have already adopted a law

Seven countries have already adopted national laws to implement the NIS 2 directive:

  • Belgium
  • Italy
  • Croatia
  • Latvia
  • Lithuania
  • Romania
  • Hungary

Countries with a law or draft

Twelve countries have submitted drafts that are either in public discussion or already in the legislative process:

  • Denmark
  • Germany
  • Finland
  • Luxembourg
  • Netherlands
  • Austria
  • Poland
  • Sweden
  • Slovakia
  • Slovenia
  • Czech Republic
  • Cyprus

Countries without a public draft

For seven countries no public draft is currently known:

  • Bulgaria
  • Estonia
  • France
  • Greece
  • Malta
  • Portugal
  • Spain

Detailed country overview of the NIS 2 implementation

The table below provides a detailed overview of the current implementation status of the NIS 2 directive in all EU Member States. For each country the current status is indicated and, where available, direct links to the relevant legal texts or drafts are provided.

Country Status / latest update Link to text / draft
Belgium Law adopted, entry into force on 18.10.2024 Text in French: https://www.ejustice.just.fgov.be/cgi/article.pl?language=fr&sum_date=2024-05-17&lg_txt=f&caller=sum&s_editie=1&2024202344=4&numac_search=2024202344&view_numac=2024202344f
Bulgaria No public draft known N/A
Denmark 05.07.2024: Draft in public consultation until 22.08.2024 Overview: https://hoeringsportalen.dk/Hearing/Details/68921<br><br>Draft in Danish: https://prodstoragehoeringspo.blob.core.windows.net/535dd4d9-0b77-4d4c-a977-7afdfc82b1c7/Udkast%20til%20forslag%20til%20lov%20om%20foranstaltninger%20til%20sikring%20af%20et%20h%C3%B8jt%20cybersikkerhedsniveau.pdf
Germany 02.10.2024: Draft in parliamentary voting Overview: https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/nis2umsucg.html<br><br>Draft in German: https://dserver.bundestag.de/btd/20/131/2013184.pdf
Estonia No public draft known N/A
Finland 05.06.2024: Draft in parliamentary voting Overview: https://www.eduskunta.fi/FI/vaski/KasittelytiedotValtiopaivaasia/Sivut/HE_57+2024.aspx<br><br>Draft in Finnish: https://www.eduskunta.fi/FI/vaski/HallituksenEsitys/Sivut/HE_57+2024.aspx
France 30.05.2024: Consultations with stakeholders started, but no public draft known N/A
Greece No public draft known N/A
Ireland 30.08.2024: Draft in parliamentary voting Overview: https://www.gov.ie/en/publication/229af-general-scheme-of-the-national-cyber-security-bill-2024/?<br><br>Text in English: https://www.gov.ie/pdf/?file=https://assets.gov.ie/303962/aa59bc78-e82d-4e74-9e95-b05c0c5a83a1.pdf#page=null
Italy Law adopted, entry into force on 18.10.2024 Text in Italian: https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG
Croatia Law adopted, entry into force on 15.02.2024 Text in Croatian: https://narodne-novine.nn.hr/clanci/sluzbeni/2024_02_14_254.html
Latvia Law adopted, entry into force on 01.09.2024 Text in Latvian: https://titania.saeima.lv/LIVS14/saeimalivs14.nsf/0/0ED799CB5B0BDE64C2258B4D0039D5CD?OpenDocument
Lithuania Law adopted, entry into force on 18.10.2024 Text in Lithuanian: https://e-seimas.lrs.lt/portal/legalAct/lt/TAP/90d948a02e3811efb121d2fe3a0eff27?jfwid=ad7biqq05
Luxembourg 14.03.2024: Draft in parliamentary voting Overview: https://www.chd.lu/fr/dossier/8364<br><br>Text in French: https://wdocs-pub.chd.lu/docs/exped/0146/064/292642.pdf
Malta No public draft known N/A
Netherlands Draft in public consultation (until 01.07.2024) Overview: https://www.internetconsultatie.nl/cyberbeveiligingswet/b1<br><br>Draft in Dutch: https://www.internetconsultatie.nl/cyberbeveiligingswet/document/12561
Austria 04.07.2024: Draft (NISG 2024) not adopted in the National Council Details about the rejection: https://www.parlament.gv.at/aktuelles/pk/jahr_2024/pk0785#XXVII_NRSITZ_00270<br><br>Text in German: https://www.parlament.gv.at/dokument/XXVII/I/2638/fnameorig_1637236.html
Poland Draft in public consultation (until 24.05.2024) Overview: https://mc.bip.gov.pl/projekty-aktow-prawnych-mc/902927_projekt-ustawy-o-zmianie-ustawy-o-krajowym-systemie-cyberbezpieczenstwa-oraz-niektorych-innych-ustaw.html
Portugal No public draft known N/A
Romania Law / ordinance adopted, entry into force 30.10.2024 Text in Romanian: https://dnsc.ro/vezi/document/oug-privind-transpunerea-directivei-nis-2
Sweden 05.03.2024: Draft presented Overview: https://www.regeringen.se/rattsliga-dokument/statens-offentliga-utredningar/2024/03/sou-202418/<br><br>Draft in Swedish: https://www.regeringen.se/contentassets/1e56bf5cad214fc78eb80d91c11cccb6/nya-regler-om-cybersakerhet-sou-202418.pdf
Slovakia 20.06.2024: Evaluation of consultation comments Overview: https://www.slov-lex.sk/legislativne-procesy/-/SK/LP/2024/264<br><br>Drafts in Slovak: https://www.slov-lex.sk/legislativne-procesy/-/SK/dokumenty/LP-2024-264
Slovenia 15.05.2024: New draft after consultation Overview: https://e-uprava.gov.si/si/drzava-in-druzba/e-demokracija/predlogi-predpisov/predlog-predpisa.html?id=16290<br><br>Draft in Slovene: https://e-uprava.gov.si/.download/edemokracija/datotekaVsebina/674583?disposition=attachment
Spain No public draft known, general consultation (until 17.10.2023) N/A
Czech Republic 17.07.2024: In parliamentary voting (debate in the Chamber of Deputies) Overview: https://odok.cz/portal/veklep/material/ALBSCSSG44YX/<br><br>Text in Czech: https://odok.cz/portal/services/download/attachment/ALBSD7FGWBLS/
Hungary Law adopted, entry into force on 18.10.2024 Text in English: https://njt.hu/jogszabaly/en/2023-23-00-00 <br>Text in Hungarian: https://njt.hu/jogszabaly/2023-23-00-00.5
Cyprus 21.08.2024: New draft after consultation Draft in Greek: https://dsa.cy/images/pdf-upload/proposed-updated-dsa-law-for-nis2.pdf

Implementation status (as of 17.10.2024)

Please note that the implementation status is a snapshot as of the specified date and may change rapidly due to the dynamic nature of the legislative process.

Support for implementing the NIS 2 directive

Implementing the NIS 2 directive is a complex challenge for many organizations. Our experienced cybersecurity team provides comprehensive support for transposition of this important directive. We can help with:

  • Conducting gap analyses to identify required actions
  • Developing tailored implementation strategies
  • Training your staff on NIS 2 requirements
  • Supporting the establishment of effective risk management and reporting processes

We understand the specific challenges of different industries and tailor our advisory services to your needs. Our aim is not only to help you comply with NIS 2 requirements but also to strengthen your overall cybersecurity resilience.

Contact us for a non-binding initial consultation in which we will jointly determine how we can assist you in implementing the NIS 2 directive efficiently and effectively.

Conclusion

The transposition of the NIS 2 directive across EU Member States shows clear progress but remains uneven. While some countries have already adopted laws, others are still at early stages. Most states recognize the need for stronger cybersecurity measures and are actively working on implementation. Nevertheless, meeting the deadline and achieving uniform transposition by October 2024 remains a significant challenge.

It is expected that countries still in early phases will intensify their efforts in the coming months to meet the deadline. Progress in the various Member States will continue to be closely monitored to ensure a high common level of cybersecurity across the EU.

Note: This overview reflects the status as of 17 October 2024. Given the dynamic nature of legislative processes, information may change quickly. Please always refer to official sources for the most current information.